On 28/07/2024 13:20, Michael Catanzaro wrote:
On Sun, Jul 28 2024 at 11:37:15 AM +02:00:00, Arthur Bols via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Aside that this does not contribute to the discussion at all, I believe
it is reasonable to assume that the default firewall rules are strict
enough to not open all ports above 1024... That being said, it's an
example, and those servers are listening on localhost.
This discussion comes up every few years. Suffice to say: a firewall
that blocks users from using software is a firewall that's not
suitable for Fedora Workstation. Unlike server users, desktop users
don't know what ports are and don't expect to have to modify firewall
rules to run a new service.
You say "unsafe" but it's only unsafe if you have software listening
on those ports. And if you have software listening on those ports,
surely you want it to work rather than be blocked? If you have
software listening that you *don't* want to work, then why do you have
it listening in the first place!
Thank you for the insight. When I posted, I assumed other distributions
had stricter default configurations. However, it seems Fedora is one of
the few that blocks some traffic by default (even Ubuntu accepts
everything by default).
I understand the reasoning behind the current configuration, but I think
the reality doesn't quite match the idea. The firewall does prevent
users from using certain software. For example, if you're trying to set
up an HP printer, you'll need to enable the SLP/MDNS services to get it
working if you're following the setup wizard.
Also, why do we even have any rules if nothing is listening? One could
argue that it's a security tradeoff, but I wonder if it might do more
harm than good by giving users a false sense of security.
It's been about 10 years since we established this firewall
configuration, and I haven't seen much interest in developing a
smarter stricter firewall, so this is what we're left with.
Maybe you're right; without a smarter firewall, there isn't a better
solution. Fedora has always been about being "first". Perhaps there's a
way to educate users on configuring the firewall when needed (for most
things it should just be checking a box in firewall-config)? However, I
have no idea how much it would hinder the average Fedora user, as the
only thing listening on my pc is KDE Connect... Unfortunately, security
is always the first thing to go out the window.
Arthur
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
